Fix Nix build by not using Git in Cargo build scripts (#3551)

# Description of Changes

When building under Nix, Git metadata is not available within the
sandbox, as we use `lib.cleanSource` on our source directory. This is
important because it avoids spurious rebuilds and/or determinism
hazards.

The build was broken due to our new `spacetime init` template system
accessing Git metadata in the CLI's build.rs
to filter out non-git-tracked files from the templates. The Flake
sandbox does this automatically (even without `lib.cleanSource`!), so
when building under Nix it's unnecessary to do twice. (I remain
unconvinced that it's necessary to do in non-Nix builds either, as CI
builds should have a clean checkout and local dev builds don't need
clean templates, but the behavior was already in master and I didn't
feel comfortable removing it.)

As an enhancement, I've also found a Nix-ey way to embed our Git commit
hash in builds. Previously, builds under Nix had the empty string
instead of a commit hash, because we included the `git` CLI tool but
scrubbed the necessary metadata. Now, we inject an environment variable
from the Nix flake, and don't make the `git` CLI tool available at all.
This has the convenient upside of allowing Nix builds to reference
`dirtyRev` in builds with a dirty worktree, which should reduce
confusion.

# API and ABI breaking changes

N/a

# Expected complexity level and risk

3? I didn't have a strong understanding of what the CLI build script was
doing, and to what extent it was doing things intentionally versus for
convenience. As such, it's possible that I've inadvertently damaged
something load-bearing.

# Testing

- [x] Built with `nix build`, ran `spacetime init`, chose the
`basic-rust` template, and got a reasonable-looking template
instantiation.
- [ ] Hopefully we have automated tests for this?

Author: gefjon

crates/cli/build.rs

@@ -6,21 +6,59 @@ use std::process::Command;
 use toml::Value;
 
 fn main() {
-    let output = Command::new("git").args(["rev-parse", "HEAD"]).output().unwrap();
-    let git_hash = String::from_utf8(output.stdout).unwrap().trim().to_string();
+    let git_hash = find_git_hash();
     println!("cargo:rustc-env=GIT_HASH={git_hash}");
 
     generate_template_files();
 }
 
+fn nix_injected_commit_hash() -> Option<String> {
+    use std::env::VarError;
+    // Our flake.nix sets this environment variable to be our git commit hash during the build.
+    // This is important because git metadata is otherwise not available within the nix build sandbox,
+    // and we don't install the git command-line tool in our build.
+    match std::env::var("SPACETIMEDB_NIX_BUILD_GIT_COMMIT") {
+        Ok(commit_sha) => {
+            // Var is set, we're building under Nix.
+            Some(commit_sha)
+        }
+
+        Err(VarError::NotPresent) => {
+            // Var is not set, we're not in Nix.
+            None
+        }
+        Err(VarError::NotUnicode(gross)) => {
+            // Var is set but is invalid unicode, something is very wrong.
+            panic!("Injected commit hash is not valid unicode: {gross:?}")
+        }
+    }
+}
+
+fn is_nix_build() -> bool {
+    nix_injected_commit_hash().is_some()
+}
+
+fn find_git_hash() -> String {
+    nix_injected_commit_hash().unwrap_or_else(|| {
+        // When we're *not* building in Nix, we can assume that git metadata is still present in the filesystem,
+        // and that the git command-line tool is installed.
+        let output = Command::new("git").args(["rev-parse", "HEAD"]).output().unwrap();
+        String::from_utf8(output.stdout).unwrap().trim().to_string()
+    })
+}
+
+fn get_manifest_dir() -> PathBuf {
+    PathBuf::from(std::env::var("CARGO_MANIFEST_DIR").unwrap())
+}
+
 // This method generates functions with data used in `spacetime init`:
 //
 //   * `get_templates_json` - returns contents of the JSON file with the list of templates
 //   * `get_template_files` - returns a HashMap with templates contents based on the
 //                            templates list at crates/cli/templates/templates-list.json
 //   * `get_cursorrules` - returns contents of a cursorrules file
 fn generate_template_files() {
-    let manifest_dir = std::env::var("CARGO_MANIFEST_DIR").unwrap();
+    let manifest_dir = get_manifest_dir();
     let manifest_path = Path::new(&manifest_dir);
     let templates_json_path = manifest_path.join("templates/templates-list.json");
     let out_dir = std::env::var("OUT_DIR").unwrap();
@@ -121,7 +159,7 @@ fn generate_template_files() {
     write_if_changed(&dest_path, generated_code.as_bytes()).expect("Failed to write embedded_templates.rs");
 }
 
-fn generate_template_entry(code: &mut String, template_path: &Path, source: &str, manifest_dir: &str) {
+fn generate_template_entry(code: &mut String, template_path: &Path, source: &str, manifest_dir: &Path) {
     let (git_files, resolved_base) = get_git_tracked_files(template_path, manifest_dir);
 
     if git_files.is_empty() {
@@ -221,26 +259,103 @@ fn generate_template_entry(code: &mut String, template_path: &Path, source: &str
     code.push_str("    }\n\n");
 }
 
-// Get a list of files tracked by git from a given directory
-fn get_git_tracked_files(path: &Path, manifest_dir: &str) -> (Vec<PathBuf>, PathBuf) {
-    let full_path = Path::new(manifest_dir).join(path);
+/// Get a list of files tracked by git from a given directory
+fn get_git_tracked_files(path: &Path, manifest_dir: &Path) -> (Vec<PathBuf>, PathBuf) {
+    if is_nix_build() {
+        // When building in Nix, we already know that there are no untracked files in our source tree,
+        // so we just list all of the files.
+        list_all_files(path, manifest_dir)
+    } else {
+        // When building outside of Nix, we invoke `git` to list all the tracked files.
+        get_git_tracked_files_via_cli(path, manifest_dir)
+    }
+}
+
+fn list_all_files(path: &Path, manifest_dir: &Path) -> (Vec<PathBuf>, PathBuf) {
+    let manifest_dir = manifest_dir.canonicalize().unwrap_or_else(|err| {
+        panic!(
+            "Failed to canonicalize manifest_dir path {}: {err:#?}",
+            manifest_dir.display()
+        )
+    });
+
+    let template_root_absolute = get_full_path_within_manifest_dir(path, &manifest_dir);
 
     let repo_root = get_repo_root();
-    let repo_canonical = repo_root.canonicalize().unwrap();
 
-    let canonical = full_path.canonicalize().unwrap_or_else(|e| {
+    let mut files = Vec::new();
+    ls_recursively(&template_root_absolute, &repo_root, &mut files);
+
+    (files, make_repo_root_relative(&template_root_absolute, &repo_root))
+}
+
+/// Get all the paths of files within `root_dir`,
+/// transform them into paths relative to `repo_root`,
+/// and insert them into `out`.
+fn ls_recursively(root_dir: &Path, repo_root: &Path, out: &mut Vec<PathBuf>) {
+    for dir_ent in std::fs::read_dir(root_dir).unwrap_or_else(|err| {
+        panic!(
+            "Failed to read_dir from template directory {}: {err:#?}",
+            root_dir.display()
+        )
+    }) {
+        let dir_ent = dir_ent.unwrap_or_else(|err| {
+            panic!(
+                "Got error during read_dir from template directory {}: {err:#?}",
+                root_dir.display(),
+            )
+        });
+        let file_path = dir_ent.path();
+        let file_type = dir_ent.file_type().unwrap_or_else(|err| {
+            panic!(
+                "Failed to get file_type for template file {}: {err:#?}",
+                file_path.display(),
+            )
+        });
+        if file_type.is_dir() {
+            ls_recursively(&file_path, repo_root, out);
+        } else {
+            out.push(make_repo_root_relative(&file_path, repo_root));
+        }
+    }
+}
+
+/// Treat `relative_path` as a relative path within `manifest_dir`
+/// and transform it into an absolute, canonical path.
+fn get_full_path_within_manifest_dir(relative_path: &Path, manifest_dir: &Path) -> PathBuf {
+    let full_path = manifest_dir.join(relative_path);
+
+    full_path.canonicalize().unwrap_or_else(|e| {
         panic!("Failed to canonicalize path {}: {}", full_path.display(), e);
-    });
-    let resolved_path = canonical
-        .strip_prefix(&repo_canonical)
+    })
+}
+
+/// Transform `full_path` into a relative path within `repo_root`.
+///
+/// `full_path` and `repo_root` should both be canonical paths, as by [`Path::canonicalize`].
+fn make_repo_root_relative(full_path: &Path, repo_root: &Path) -> PathBuf {
+    full_path
+        .strip_prefix(repo_root)
         .map(|p| p.to_path_buf())
         .unwrap_or_else(|_| {
             panic!(
                 "Path {} is outside repo root {}",
-                canonical.display(),
-                repo_canonical.display()
+                full_path.display(),
+                repo_root.display()
             )
-        });
+        })
+}
+
+fn get_git_tracked_files_via_cli(path: &Path, manifest_dir: &Path) -> (Vec<PathBuf>, PathBuf) {
+    let repo_root = get_repo_root();
+    let repo_root = repo_root.canonicalize().unwrap_or_else(|err| {
+        panic!(
+            "Failed to canonicalize repo_root path {}: {err:#?}",
+            repo_root.display(),
+        )
+    });
+
+    let resolved_path = make_repo_root_relative(&get_full_path_within_manifest_dir(path, manifest_dir), &repo_root);
 
     let output = Command::new("git")
         .args(["ls-files", resolved_path.to_str().unwrap()])
@@ -263,12 +378,17 @@ fn get_git_tracked_files(path: &Path, manifest_dir: &str) -> (Vec<PathBuf>, Path
 }
 
 fn get_repo_root() -> PathBuf {
-    let output = Command::new("git")
-        .args(["rev-parse", "--show-toplevel"])
-        .output()
-        .expect("Failed to get git repo root");
-    let path = String::from_utf8(output.stdout).unwrap().trim().to_string();
-    PathBuf::from(path)
+    let manifest_dir = get_manifest_dir();
+    // Cargo doesn't expose a way to get the workspace root, AFAICT (pgoldman 2025-10-31).
+    // We don't want to query git metadata for this, as that will break in Nix builds.
+    // We happen to know our own directory structure, so we can just walk the tree to get to the root.
+    let repo_root = manifest_dir.join("..").join("..");
+    repo_root.canonicalize().unwrap_or_else(|err| {
+        panic!(
+            "Failed to canonicalize repo_root path {}: {err:#?}",
+            repo_root.display()
+        )
+    })
 }
 
 fn extract_workspace_metadata(path: &Path) -> io::Result<(String, BTreeMap<String, String>)> {

crates/lib/build.rs

@@ -3,7 +3,37 @@ use std::process::Command;
 // https://stackoverflow.com/questions/43753491/include-git-commit-hash-as-string-into-rust-program
 #[allow(clippy::disallowed_macros)]
 fn main() {
-    let output = Command::new("git").args(["rev-parse", "HEAD"]).output().unwrap();
-    let git_hash = String::from_utf8(output.stdout).unwrap();
+    let git_hash = find_git_hash();
     println!("cargo:rustc-env=GIT_HASH={git_hash}");
 }
+
+fn nix_injected_commit_hash() -> Option<String> {
+    use std::env::VarError;
+    // Our flake.nix sets this environment variable to be our git commit hash during the build.
+    // This is important because git metadata is otherwise not available within the nix build sandbox,
+    // and we don't install the git command-line tool in our build.
+    match std::env::var("SPACETIMEDB_NIX_BUILD_GIT_COMMIT") {
+        Ok(commit_sha) => {
+            // Var is set, we're building under Nix.
+            Some(commit_sha)
+        }
+
+        Err(VarError::NotPresent) => {
+            // Var is not set, we're not in Nix.
+            None
+        }
+        Err(VarError::NotUnicode(gross)) => {
+            // Var is set but is invalid unicode, something is very wrong.
+            panic!("Injected commit hash is not valid unicode: {gross:?}")
+        }
+    }
+}
+
+fn find_git_hash() -> String {
+    nix_injected_commit_hash().unwrap_or_else(|| {
+        // When we're *not* building in Nix, we can assume that git metadata is still present in the filesystem,
+        // and that the git command-line tool is installed.
+        let output = Command::new("git").args(["rev-parse", "HEAD"]).output().unwrap();
+        String::from_utf8(output.stdout).unwrap().trim().to_string()
+    })
+}

flake.nix

@@ -25,6 +25,11 @@
 
         inherit (pkgs) lib;
 
+        # Inject git commit in an env var around the build so that we can embed it in the binary
+        # without calling into `git` during our build.
+        # Note that `self.rev` is not set for builds with a dirty worktree, in which case we instead use `self.dirtyRev`.
+        gitCommit = if (self ? rev) then self.rev else self.dirtyRev;
+
         librusty_v8 = if pkgs.stdenv.isDarwin then
           # Building on MacOS, we've seen errors building rusty_v8 with a local RUSTY_V8_ARCHIVE:
           # https://github.com/clockworklabs/SpacetimeDB/pull/3422#issuecomment-3416972711 .
@@ -65,7 +70,6 @@
             pkgs.perl
             pkgs.python3
             pkgs.cmake
-            pkgs.git
             pkgs.pkg-config
           ];
           # buildInputs are libraries that wind up in the target build.
@@ -80,6 +84,7 @@
 
           # Include our precompiled V8.
           RUSTY_V8_ARCHIVE = librusty_v8;
+          SPACETIMEDB_NIX_BUILD_GIT_COMMIT = gitCommit;
         };
 
         # Build a separate derivation containing our dependencies,